Why SMS banking is still a bad idea

Bank customers like the convenience of accessing data via text message, but security experts have concerns about financial textbots.

Bank with Capital One and you can have account information sent to you by text. In March 2017, the bank started piloting Eno, an SMS-based chatbot customers use to check balances, view transactions, and process similar requests. Users love it, spokesperson Shelley Solheim says, sharing that 95 percent recommend the bot and that since launch, "Eno [has] exchanged hundreds of thousands of texts.”

Sounds great from a marketing perspective, but what about security? “Obviously as a highly regulated bank, security and data privacy is a top concern for Capital One,” says vice president of conversational AI products Ken Dodelin. But experts say texting any financial info — no matter how basic — isn’t advisable. In addition to security issues all chatbots face, textbots come with SMS-specific concerns. For starters, text messages get stored on your phone, and depending on device settings, they’re also uploaded to an iCloud or Google Cloud-like service.

Is texting financial data ever safe?

“The short answer is no,” says Jim Lewis, solutions director for financial technology company SEI, “It's one of the least secure ways of delivering information.” For a while, it was popular for banks to text, especially to verify whether a charge was yours. He says most are moving away from the technology now -- especially after the National Institute of Standards and Technology (NIST) deprecated two-factor text authentication in 2016.

Dodelin says, “We had folks from across the company -- as is the case with any of our new innovations -- poke and prod this from every possible angle.” Solheim adds that security professionals are embedded in all phases of Capital One's product development efforts.